HP-UX IPFilter v18.21 Administrator Guide HP-UX 11i v3 (761995-001, March 2014)
Rules for intra-cluster communication
To ensure proper operation of your Serviceguard cluster, you must configure IPFilter rules for each
configured Serviceguard heartbeat subnet to allow intra-cluster communication. There are two
methods to do this:
• Configure rules that allow all intra-cluster packets
• Configure rules that allow intra-cluster packets with specific protocols and ports
Configuring rules to allow all intra-cluster packets
For a simplified HP-UX IPFilter configuration, add the following rules to allow all intra-cluster packets:
pass in quick from cluster_nodes to cluster_nodes
pass out quick from cluster_nodes to cluster_nodes
Configuring rules to allow specific intra-cluster packets
For more restrictive HP-UX IPFilter configurations, use the following rules to allow only the packets
for the required cluster services to pass. In these rules, cluster_nodes is a placeholder for the IP
subnet address of the heartbeat network that all nodes in the cluster, including the local node, are
on; replace it with that subnet before loading the rules. Note that port a >< b matches only ports
strictly between a and b (both endpoints are excluded), so port 5299 >< 5305 passes ports 5300
through 5304, and port 49151 >< 65535 passes ports 49152 through 65534; the port = 65535 rule that
follows each of those ranges covers the top of the anonymous port range, which the range rule alone
does not.
pass in quick proto tcp from cluster_nodes to cluster_nodes port 5299 >< 5305 flags S keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 5300 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 5302 keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 5408 flags S keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port 49151 >< 65535 keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 65535 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port 49151 >< 65535 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 65535 keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port 5299 >< 5305 flags S keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 5300 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 5302 keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port = 5408 flags S keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port 49151 >< 65535 keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port = 65535 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port 49151 >< 65535 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 65535 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 9 keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = 9 keep state
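As a check on a rule list like the one above, the following Python script is an added example (it is not part of the HP guide and not an HP tool). It parses the port clause of each tcp/udp pass rule, expands = and >< port expressions with IPFilter's semantics (both endpoints of a >< range excluded), and reports out-of-range ports, duplicated lines, TCP keep state rules that are not anchored on flags S, and any port in a chosen range that no rule passes. The sample rule text is constructed for the example and deliberately keeps an out-of-range port and a duplicated line so the checks fire; the service-name table is an assumption standing in for /etc/services.

```python
import re

# Constructed lookup for the service names used in the guide's rules
# (assumption: standard IANA numbers), so the check runs without /etc/services.
SERVICE_PORTS = {"snmp": 161, "snmp-trap": 162}

# Matches 'pass in|out quick proto tcp|udp from A to B port <expr> [flags X] [keep state]'.
RULE_RE = re.compile(
    r"^pass\s+(?P<dir>in|out)\s+quick\s+proto\s+(?P<proto>tcp|udp)\s+"
    r"from\s+\S+\s+to\s+\S+\s+port\s+(?P<port>.+?)"
    r"(?P<flags>\s+flags\s+\S+)?(?P<state>\s+keep\s+state)?\s*$"
)

# Constructed sample, modelled on the guide's rule list. It keeps the
# 'port = 65536' lines and a duplicated line on purpose so the checks fire.
SAMPLE_RULES = """\
pass in quick proto tcp from cluster_nodes to cluster_nodes port 5299 >< 5305 flags S keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 5300 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 5302 keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 5408 flags S keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port 49151 >< 65535 keep state
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 65536 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port 49151 >< 65535 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 65536 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = 65536 keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = snmp-trap keep state
"""


def resolve(name):
    """Turn a numeric port or a known service name into a port number."""
    return int(name) if name.isdigit() else SERVICE_PORTS[name]


def port_set(expr):
    """Expand an ipf port expression into the set of ports it matches.
    'a >< b' means strictly between a and b: both endpoints are excluded."""
    expr = expr.strip()
    m = re.fullmatch(r"=\s*(\S+)", expr)
    if m:
        return {resolve(m.group(1))}
    m = re.fullmatch(r"(\S+)\s*><\s*(\S+)", expr)
    if m:
        lo, hi = resolve(m.group(1)), resolve(m.group(2))
        return set(range(lo + 1, hi))
    raise ValueError(f"unsupported port expression: {expr!r}")


def parse_rules(text):
    """Parse the tcp/udp pass rules in text; comments and rules without a port clause are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = RULE_RE.match(line)
        if not line or line.startswith("#") or not m:
            continue
        rules.append({
            "line": lineno, "text": line, "dir": m["dir"], "proto": m["proto"],
            "ports": port_set(m["port"]),
            "syn_only": m["flags"] is not None and m["flags"].split()[-1] == "S",
            "state": m["state"] is not None,
        })
    return rules


def lint(rules):
    """Report out-of-range ports, duplicate lines and stateful TCP rules not anchored on SYN."""
    findings, seen = [], {}
    for r in rules:
        bad = sorted(p for p in r["ports"] if not 0 < p <= 65535)
        if bad:
            findings.append(f"line {r['line']}: port out of range {bad}")
        if r["text"] in seen:
            findings.append(f"line {r['line']}: duplicate of line {seen[r['text']]}")
        seen.setdefault(r["text"], r["line"])
        if r["proto"] == "tcp" and r["state"] and not r["syn_only"]:
            findings.append(f"line {r['line']}: tcp keep state without flags S "
                            "(state can be created by a non-SYN packet)")
    return findings


def covered(rules, direction, proto, port):
    """True if some pass rule for this direction and protocol matches the port."""
    return any(r["dir"] == direction and r["proto"] == proto and port in r["ports"]
               for r in rules)


def uncovered(rules, direction, proto, lo, hi):
    """Ports in lo..hi (inclusive) that no rule for this direction/protocol passes."""
    return [p for p in range(lo, hi + 1) if not covered(rules, direction, proto, p)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for finding in lint(rules):
        print(finding)
    print("in/tcp ports 49152-65535 not passed:", uncovered(rules, "in", "tcp", 49152, 65535))
    print("in/udp port 162 passed:", covered(rules, "in", "udp", 162))
```

Run against the sample, the script flags 65536 as out of range on three lines, reports the duplicated udp line, and shows that with 49151 >< 65535 alone the top port, 65535, is not passed in either direction, which is the gap a port = 65535 rule closes. Rules without a port clause (the ICMP rules later in this section) are outside what this check parses.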
If you are using the Cluster SNMP Agent Daemon (cmsnmpd), configure the following rules:
# Allow cmsnmpd to send and receive traps between cluster nodes
pass out quick proto udp from cluster_nodes to cluster_nodes port = snmp-trap keep state
pass in quick proto udp from cluster_nodes to cluster_nodes port = snmp-trap keep state
# Allow cmsnmpd to send and receive snmpGet, snmpSet between cluster nodes
pass in quick proto udp from cluster_nodes to cluster_nodes port = snmp keep state
pass out quick proto udp from cluster_nodes to cluster_nodes port = snmp keep state
If you are using package IP monitoring, configure the following rules:
# Allow ping incoming connections for package ip monitoring
pass in quick proto icmp from cluster_nodes to cluster_nodes icmp-type 8
pass out quick proto icmp from cluster_nodes to cluster_nodes icmp-type 8
These rules pass only ICMP echo requests (type 8). The echo replies (type 0) that the monitor
depends on must also be able to pass: either add keep state to both rules so that IPFilter matches
each reply to the request that caused it, or add matching pass rules for icmp-type 0.
If you are using cmappserver, configure the following rules:
# Allow hacl-poll for HA Cluster TCP polling (cmappserver for hpvm or APPSERV)
pass in quick proto tcp from cluster_nodes to cluster_nodes port = 5315 flags S keep state
pass out quick proto tcp from cluster_nodes to cluster_nodes port = 5315 flags S keep state
To enable users on cluster nodes to run the cmscancl command, you must also configure rules that
allow remote shell traffic (rsh, TCP port 514) between the cluster nodes. Because rsh is unencrypted
and relies on host-based trust, limit these rules to cluster_nodes, as with the rules above, rather
than opening port 514 more widely.
Using HP-UX IPFilter with Serviceguard 95